Google quashes 13 Chrome bugs, adds PDF viewer

Also adds support for Chrome Web Store, hinting at imminent launch

Google on Thursday patched 13 vulnerabilities in Chrome as it shifted the most stable edition of the browser to version 8.

Chrome 8 also debuted Google's built-in PDF viewer, an alternative to the bug-plagued Adobe Reader plug-in, and included support for the still-not-launched Chrome Web Store.

The 13 flaws fixed in Chrome 8.0.552.215 are in a variety of components, including the browser's history, its video indexing and the display of SVG (scalable vector graphics) animations.

Four of the baker's dozen are tagged as "high" level bugs, Google's second-most-serious rating, while five are pegged "medium" and four are labeled as "low."

Google paid $4,000 in bounties to five researchers for reporting vulnerabilities. Since mid-August, Google has handed out over $29,000 in bug bounty payments.

Among the researchers credited with submitting flaws was Nirankush Panchbhai, who works in Microsoft's vulnerability research group. Panchbhai was not one of the researchers paid a bounty.

Per its practice, Google locked its bug tracking database to bar outsiders from reading the technical details of the vulnerabilities. The company usually unlocks access to a flaw at a later date -- sometimes within weeks, often only after months have passed -- to give users time to update before the hacker-useful information goes public.

The update to the "stable" build -- Google maintains three separate "channels" for Chrome, ranging from stable to "beta" to "dev" -- also included an integrated PDF viewer, which Google first introduced to the dev channel last summer. The viewer renders PDF documents as HTML-based pages, and doesn't require Adobe Reader's free browser plug-in, or any of the alternatives.

The PDF viewer operates within Chrome's "sandbox," a security feature that isolates processes to make it more difficult for malware to affect the browser or infect the computer.

Google also added support for the Chrome Web Store to the browser with version 8. Multiple references to the store, which Google announced last May but has yet to take public, appeared in the Chrome 8 release notes.

That support may mean Google is close to opening the Web Store to customers, who will be able to browse, purchase and download Web applications, including extensions, to run in Chrome and other standards-compliant browsers.

Developers have had access to early versions of the Web Store for several months, but Google has only promised to publicly launch it before the end of the year.

Thursday's update to version 8 came a little more than six weeks after Google released Chrome 7 to the stable channel. Previously, the company said it would refresh the browser every 6-8 weeks.

If the past is any indication, most users will be running Chrome 8 within a couple of weeks.

Last month, Web analytics company Net Applications reported that Chrome's "silent" update mechanism -- unlike other browsers, Chrome automatically updates without any user interaction -- had "almost completely replaced" version 6 with Chrome 7 less than two weeks after the latter's Oct. 19 debut.

Earlier this week, Net Applications reported that Chrome's global share of the browser usage market stood at a record 9.3 per cent.

On Wednesday, Google updated the Windows dev build of Chrome to include a sandbox that shields users from exploits of Adobe Flash Player vulnerabilities.


Stories by Gregg Keizer
